Platform
wordpress
Component
post-smtp
Fixed in
3.8.1
CVE-2026-3090 describes a Stored Cross-Site Scripting (XSS) vulnerability discovered in the Post SMTP WordPress plugin. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts, potentially leading to session hijacking, defacement, or redirection. The issue affects versions from 0.0.0 through 3.8.0 and is mitigated by upgrading to version 3.9.0.
Successful exploitation of CVE-2026-3090 allows an attacker to inject malicious JavaScript code into pages viewed by other users of the WordPress site. This can lead to a variety of attacks, including stealing user cookies and session tokens, redirecting users to phishing sites, or defacing the website. Exploitation requires the Post SMTP Pro plugin and its Reporting and Tracking extension to be installed; on sites where they are, the extension adds to the attack surface. The attacker does not need to be authenticated to inject the script, which makes this a high-risk vulnerability.
CVE-2026-3090 was publicly disclosed on 2026-03-18. While no public proof-of-concept (PoC) code has been released at the time of writing, the ease of XSS exploitation suggests a medium probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Active campaigns targeting WordPress plugins are common, so vigilance is advised.
Websites using the Post SMTP plugin, particularly those with the Post SMTP Pro plugin and its Reporting and Tracking extension enabled, are at risk. Shared hosting environments where multiple WordPress sites share the same server are also at increased risk, as a compromise of one site could potentially lead to the exploitation of this vulnerability on other sites.
• wordpress / composer / npm:
grep -r 'event_type' /var/www/html/wp-content/plugins/post-smtp/
• wordpress / composer / npm:
wp plugin list --status=active | grep 'post-smtp'
• wordpress / composer / npm:
wp plugin list --status=active | grep 'post-smtp-pro'
• wordpress / composer / npm:
wp option get post_smtp_reporting_enabled
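The checks above, combined into one triage routine, as an added example that is not taken from the advisory or from the plugin: it reads the JSON printed by `wp plugin list --format=json` and the value returned by `wp option get post_smtp_reporting_enabled` (option name as given on this page), and reports whether the site is inside the affected range (0.0.0 through 3.8.0) with the Pro plugin and the reporting extension active. The sample plugin list is constructed, and treating `1`/`true` as the enabled value of that option is an assumption.

```python
import json
from typing import Optional

# Inclusive upper bound of the affected range stated in the advisory (0.0.0 - 3.8.0).
LAST_AFFECTED = (3, 8, 0)


def parse_version(version: str) -> tuple:
    """'3.8.0' -> (3, 8, 0). Suffixes like '-rc1' are dropped; missing parts become 0."""
    nums = []
    for part in version.split(".")[:3]:
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def option_is_on(value: Optional[str]) -> bool:
    """Assumption: `wp option get` prints a scalar such as 1/0 or true/false for this flag."""
    return value is not None and value.strip().lower() in {"1", "true", "yes", "on"}


def assess(plugin_list_json: str, reporting_option: Optional[str]) -> dict:
    """Combine the advisory's checks into one verdict for a single site."""
    plugins = {p["name"]: p for p in json.loads(plugin_list_json)}
    core = plugins.get("post-smtp")
    pro = plugins.get("post-smtp-pro")
    version = core["version"] if core else None
    core_active = bool(core) and core.get("status") == "active"
    version_affected = bool(core) and parse_version(version) <= LAST_AFFECTED
    pro_active = bool(pro) and pro.get("status") == "active"
    reporting_on = option_is_on(reporting_option)
    return {
        "post_smtp_version": version,
        "version_affected": version_affected,  # update needed even if not exposed
        "pro_active": pro_active,
        "reporting_enabled": reporting_on,
        "exposed": core_active and version_affected and pro_active and reporting_on,
    }


# Constructed sample of `wp plugin list --format=json` output; not from a real site.
SAMPLE_PLUGINS = json.dumps([
    {"name": "post-smtp", "status": "active", "update": "available", "version": "3.8.0"},
    {"name": "post-smtp-pro", "status": "active", "update": "none", "version": "1.0.0"},
    {"name": "hello-dolly", "status": "inactive", "update": "none", "version": "1.7.2"},
])

if __name__ == "__main__":
    print(assess(SAMPLE_PLUGINS, "1"))
```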
Exploit Status
EPSS
0.08% (24th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-3090 is to upgrade the Post SMTP plugin to version 3.9.0 or later, which contains the necessary fixes. If upgrading immediately is not possible, consider temporarily disabling the Reporting and Tracking extension within the Post SMTP Pro plugin. Input validation and output escaping improvements are the core of the fix. After upgrading, verify the fix by attempting to inject a simple JavaScript payload through the 'event_type' parameter and confirming that it is properly sanitized and does not execute.
Update to version 3.9.0, or a newer patched version
CVE-2026-3090 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the Post SMTP WordPress plugin versions 0.0.0–3.8.0, allowing attackers to inject malicious scripts.
You are affected if you are using Post SMTP WordPress plugin versions 0.0.0 through 3.8.0 and have the Post SMTP Pro plugin with the Reporting and Tracking extension enabled.
Upgrade the Post SMTP plugin to version 3.9.0 or later. As a temporary workaround, disable the Reporting and Tracking extension within the Post SMTP Pro plugin.
While no public exploits are currently known, the ease of XSS exploitation suggests a medium probability of exploitation.
Refer to the Post SMTP website and WordPress plugin repository for the latest advisory and update information.